Dailymotion public bug bounty


Capitalized terms used in this vulnerability disclosure policy (“Policy”) and not otherwise defined have the meaning ascribed to such terms in our Terms of Use.

Security is one of Dailymotion’s core values. We highly value the time and effort invested in good faith by security researchers in helping us build a more secure platform for our partners and users. As such, we encourage the responsible disclosure of vulnerabilities related to Dailymotion’s products, websites and APIs. This Policy sets out the rules under which we expect the research and reporting of vulnerabilities to be conducted, as well as what you can expect from us in return.

If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner.

1. Program Purpose

Maintaining top-notch security online is a community effort and a high priority for Dailymotion. We're lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. However, no matter how much effort we put into our security maintenance, vulnerabilities can still be present. To recognize the efforts of independent security researchers and the important role they play in keeping Dailymotion safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities (the "Bug Bounty Program" or "Program"). Please review the following Program rules before you report a vulnerability. By participating in this Program, you agree to be bound by these rules.

2. Rewards

Dailymotion may provide rewards to eligible reporters of qualifying vulnerabilities (see sections 5 and 6 below).

Reward amounts vary with the severity of the reported vulnerability, as measured by its CVSS environmental score (Dailymotion rates the base, temporal and environmental CVSS metrics itself). Dailymotion determines in its sole discretion whether a reward is granted and its amount. Our minimum reward is 50 Euros.

This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.

For reference, the following table outlines the scoring scale and bounty value for vulnerabilities affecting in-scope components (see section 3 below):

Rating   | CVSS score  | Bounty
None     | 0.0         | No bounty
Low      | 0.1 - 3.9   | 50 €
Medium   | 4.0 - 6.9   | 70 - 150 €
High     | 7.0 - 8.9   | 300 - 700 €
Critical | 9.0 - 10.0  | 700 - 1500 €

3. Scope

The sites and applications hosted under one of the following domains are within the scope for this Program:

  • *
  • *
  • *
  • our official Dailymotion applications on the Google Play Store, Apple App Store, PlayStation and Microsoft Store.
  • all visible services on AS41690

Vulnerabilities reported on other services or applications owned by Dailymotion are currently not eligible for monetary reward and will be handled as a responsible disclosure. As they come into scope, they will be added to this section.


The product has several privilege levels: unauthenticated user, authenticated user, partner, and partner with a verification badge. We invite you to explore the attack surface specific to each of these profiles, as all of them are in scope.

  • Partner accounts are only granted to users after they have accepted the terms of our Dailymotion Partner Program Agreement.
  • If you want to test the features exposed only to partners with a verification badge, please file a request on so as to be provided with a verification badge for a previously-created partner account. For practical reasons, Dailymotion reserves the right to evaluate and deny such requests on a case-by-case basis; typically, we will only consider requests from hunters who have previously reported at least one qualifying vulnerability with a CVSS score of 3 or higher.

Highlight on Tartiflette, our home-grown GraphQL engine

Tartiflette is the new GraphQL engine that runs our API-centric platform. We are happily sharing it with the community (it is, of course, open source) and we are keen on having security researchers look into it for potential flaws and security issues from several angles: source code review, runtime behaviour and fuzzing. Because it is about to become the core of our platform, it is included in the scope of this program.

You can find the source code on GitHub.

While functionally complete, Tartiflette does not yet serve every request: it is being rolled out progressively alongside the legacy engine. If you want to test it live on our infrastructure, add the following header to your authenticated requests so that they are routed to the Tartiflette engine:
X-DM-Flipper-Features: tartiflette_engine_force

You can then verify which engine executed your request by checking that the response carries the following header (HTTP header names are case-insensitive, so match the name accordingly):
x-dm-graphql-engine: Tartiflette
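The two-header handshake described above, as an added example; this is not Dailymotion's or Tartiflette's own code. The endpoint URL, the Bearer-token authentication scheme and the `{ __typename }` probe query are assumptions made here, and the sample responses at the bottom are constructed, not captured traffic. The check treats header names case-insensitively, so a response that spells the header `X-DM-GraphQL-Engine` is recognised as well as the lowercase form shown on the page.

```python
"""Probe whether an authenticated GraphQL request was served by Tartiflette.

Added example, not Dailymotion code. Assumed (not on the page): the endpoint
URL passed to probe(), the Bearer-token auth scheme and the probe query.
"""
import json
import urllib.request

FLIPPER_HEADER = "X-DM-Flipper-Features"        # request header from the program page
FLIPPER_VALUE = "tartiflette_engine_force"
ENGINE_HEADER = "x-dm-graphql-engine"           # response header from the program page
ENGINE_VALUE = "Tartiflette"


def request_headers(access_token):
    """Headers for an authenticated request that forces the Tartiflette engine."""
    return {
        "Authorization": f"Bearer {access_token}",  # assumed auth scheme
        "Content-Type": "application/json",
        FLIPPER_HEADER: FLIPPER_VALUE,
    }


def header_value(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def served_by_tartiflette(response_headers):
    """True only if the response explicitly names Tartiflette as the engine.

    A missing header or any other value means the legacy engine answered,
    i.e. the flipper header was dropped or ignored along the way.
    """
    return header_value(response_headers, ENGINE_HEADER) == ENGINE_VALUE


def probe(url, access_token, query="{ __typename }"):
    """POST a minimal GraphQL query with the flipper header.

    Returns (http_status, served_by_tartiflette). Performs a real network
    request, so it is not exercised by the offline checks below.
    """
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(
        url, data=body, headers=request_headers(access_token), method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, served_by_tartiflette(dict(resp.headers.items()))


# Constructed sample response headers (not captured traffic) for offline checks.
SAMPLE_TARTIFLETTE = {"Content-Type": "application/json",
                      "X-DM-GraphQL-Engine": "Tartiflette"}
SAMPLE_LEGACY = {"Content-Type": "application/json"}

if __name__ == "__main__":
    print("forced engine hit:", served_by_tartiflette(SAMPLE_TARTIFLETTE))
    print("legacy engine hit:", served_by_tartiflette(SAMPLE_LEGACY))
```

Use `probe(url, token)` against the in-scope GraphQL endpoint with a token for one of your own test accounts; if it returns `False` for the engine flag, the request was answered by the legacy engine and any finding belongs to that engine, not to Tartiflette.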

4. Eligibility for Bounty

We are very thankful to everyone who submits valid reports which help us improve the security of Dailymotion. However, only those that meet the following eligibility criteria may receive a monetary reward under the Bug Bounty Program:

  • You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded);
  • The vulnerability must be a qualifying vulnerability (see sections 5 and 6 below) associated with a site or application in scope;
  • You must send a clear textual description of the issue along with steps to reproduce it; include attachments such as screenshots or proof-of-concept code as necessary;
  • You must not be a former or current employee of Dailymotion or one of its contractors;
  • The submission must be received after the launch of this Policy (the date of which is stipulated at the bottom).

We intend to respond and resolve reported issues as quickly as possible. Depending on our workload and the severity of the issue you can expect an update from us within 96 hours of the report's initial submission date.

Note that posting details or conversations about the report or posting details that reflect negatively on the Program or the Dailymotion brand, will result in immediate disqualification from ongoing and upcoming reward programs.

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

Dailymotion reserves the right to modify the terms of this Program or terminate this Program at any time.

5. Ground Rules

In order to avoid any confusion between good-faith security research and fraudulent or malicious behaviors, we ask you to comply with the following rules when looking for, testing and reporting vulnerabilities:

  • Take all reasonable measures to only interact with test accounts you have created on the platform;
  • Do not use physical attacks against our premises or equipment, social engineering, distributed denial of service, spam, or attacks against third-party applications;
  • If you manage to gain unauthorized access to any data or systems, limit the amount of data or privileges you gain access to, to only the minimum required for effectively demonstrating a proof of concept. Also, cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing. When in doubt, we will rate the vulnerability severity based on the worst case scenario;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
  • Report any vulnerability you’ve discovered promptly (i.e. within days, not weeks). Do not take advantage of the vulnerability or problem;
  • Only use the communication channels listed below to discuss or report vulnerability information to us, and provide sufficient information for us to resolve the vulnerability as quickly as possible (see Section 6 below for further information);
  • Do not disclose vulnerabilities you've discovered publicly or to any third party until we have formally authorized you to do so in writing;
  • Obviously do not engage in any fraudulent exploitation of the vulnerability, in any form, with us, our partners or our users.

Note concerning XSS and CSRF vulnerabilities:

We will tend to rate user-session-related XSS and CSRF vulnerabilities, whether stored or reflected, with a low impact in the environmental score. The (very) significant majority of our users are unauthenticated, so the chances of successfully exploiting such vulnerabilities are correspondingly reduced. Typically, a reflected XSS on our main domain that allows the theft of user cookies on www. or * will be scored CVSS 3.3. If you are able to demonstrate a creative exploitation of these vulnerabilities, possibly chained with other vulnerabilities you have found, so as to provably increase the business impact, we will evaluate severity on that final impact. If we choose not to reward a technical vulnerability with no demonstrable business impact (for example, an XSS on a domain that neither hosts an actual website nor holds valuable cookies), we reserve the right to fix the technical vulnerability anyway, to avoid further submissions of the same issue by other researchers.

6. Communication Channels

If you would like to report a security issue, you may do so using any of the following channels:

If you think you’ve found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission. Please include the following details with your report and be as descriptive as possible:

  • Vulnerability Location & Type - The exact location (vulnerable URLs and parameters) and the nature of the vulnerability;
  • Steps to Reproduce - A detailed description of the steps required to reproduce the vulnerability (screenshots, compressed screen recordings, and proof-of-concept scripts are all helpful); and
  • Attack Scenario - A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.

7. Expectations

When working with us according to this Policy, you can expect us to:

  • Work with you to understand and evaluate your report, including an initial response within 96 hours of the report's submission;
  • Work to remedy discovered vulnerabilities in a timely manner;
  • Consider your submission in the context of the Bug Bounty Program, irrespective of whether you initially reported the issue through the Bug Bounty Program's platform;
  • Handle your report with confidentiality and respect written requests for anonymity.

Please also note that:

  • If you are interested in the Bug Bounty Program, make sure that you have read and understood the scope of vulnerabilities which qualify for our reward program before submitting a report;
  • Our Bug Bounty Program may not be able to issue rewards to individuals located in countries where we are prohibited by law from making payments, such as countries on the EU or US sanctions lists;
  • If your submission is eligible for our reward program, the payment process will require you to disclose your identity to our Bug Bounty Program's payment partner, for legal reasons.

8. Legal Matters

When conducting vulnerability research in good faith and in accordance with the terms specified in this Policy, we consider this research to be:

  • Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Use only to the extent that they would interfere with conducting security research.

We won’t take legal action against, suspend, or terminate access to the Service for those who discover and report security vulnerabilities responsibly. Dailymotion reserves all of its legal rights in the event of any noncompliance.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of the communication channels mentioned above (see Section 6) before going any further.

Last updated: Oct 03, 2019

In Scope

Scope Type / Scope Name:
dailymotion Partner

Out of Scope

Anything that's not listed as part of the scope.

The program has been crawled by Firebounty on 2018-12-12 and updated on 2019-10-05; 397 reports have been received so far.

FireBounty © 2015-2020